tty: hvc_console, fix crashes on parallel open/close
authorJiri Slaby <jslaby@suse.cz>
Tue, 26 May 2020 14:56:32 +0000 (16:56 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 27 May 2020 08:55:36 +0000 (10:55 +0200)
commit24eb2377f977fe06d84fca558f891f95bc28a449
treec5d0a604006aec9b2ff62193243b69bb8ca382a6
parent8f065acec7573672dd15916e31d1e9b2e785566c
tty: hvc_console, fix crashes on parallel open/close

hvc_open sets tty->driver_data to NULL when open fails at some point.
Typically, the failure happens in hp->ops->notifier_add(). If there is
a racing process which tries to open such mangled tty, which was not
closed yet, the process will crash in hvc_open as tty->driver_data is
NULL.

All this happens because close wants to know whether open failed or not.
But ->open should not NULL this and other tty fields for ->close to be
happy. ->open should call tty_port_set_initialized(true) and close
should check by tty_port_initialized() instead. So do this properly in
this driver.

So this patch removes these from ->open:
* tty_port_tty_set(&hp->port, NULL). This happens on last close.
* tty->driver_data = NULL. Dtto.
* tty_port_put(&hp->port). This happens in shutdown and until now, this
  must have been causing a reference underflow, if I am not missing
  something.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: stable <stable@vger.kernel.org>
Reported-and-tested-by: Raghavendra <rananta@codeaurora.org>
Link: https://lore.kernel.org/r/20200526145632.13879-1-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/tty/hvc/hvc_console.c